Table of Contents Previous Next
Common Issues
The following describes common issues and questions related to GADS.
Configuration Manager
When creating an exception rule, the dialog box does not have an OK button.
You may be using a font that is too large for the screen. The dialog box does not work with Extra Large Fonts or Large Fonts. Change your font size, or edit your XML file directly.
What port numbers should be used in GADS when connecting to Global Catalog server?
By default, GADS connects to an LDAP server with the standard LDAP port 389 to query users from a single domain/LDAP server.
If you need to query users over multiple domains/LDAP servers that have trust relationship, configure GADS to connect to a Global Catalog server with the standard Global Catalog server port 3268.
User Sync Errors
Error Message: You are not authorized to access this API
Confirm that you are using Google Apps for Business, Partners, Government, or Education.
Enable APIs on your Google Apps domain, as described in Enable APIs.
How does GADS handle suspended users?
GADS is unable to detect suspended users, and will not try to delete them. If Google Apps Directory Sync tries to add a suspended user, you will see an error message: EntityAlreadyExists (1300).
Error Message: DomainUserLimitExceeded (error code 1200)
You attempted to add more users than you have licensed seats. Contact your sales representative to purchase more user licenses, or change your LDAP queries to synchronize fewer users.
Where can I find a list of other error messages and their meanings?
Other error messages are listed in the Error Codes section of the Google Apps Provisioning API Developer’s Guide.
Group Sync Errors
Groups with over 1500 members in my Active Directory server members aren’t syncing correctly.
Make sure you have selected MS Active Directory in the Server Type field of the LDAP Configuration section.
Synchronization Rules
Users are getting recreated on every sync
This happens when the LDAP attribute configured as the Group Name Attribute does not contain a full email address.
To resolve this issue, check your Group Search rules and make sure that GADS uses a full email address for the group names. Use one of the following methods:
*
Set the Group Name Attribute to a different LDAP attribute that specifies a full email address for each group, such as mail.
*
Enable “Replace domain named in LDAP email addresses (of users and groups) with this domain name” in Google Apps Settings, so that your Group Name Attribute matches the Google-side group names.
*
Add the domain name to the group name by specifying a Group Name Suffix in your Group Search Rule.
A group rule or exclusion rule doesn’t seem to be doing anything.
Check the scope of the rule. You may need to set the scope to SUBTREE.
A group rule generates errors.
Check the Group Search Attribute in LDAP Configuration. This is the field that contains the email address of a group. In most cases, this will be mail.
How can I exclude a specific LDAP organization?
You cannot create an LDAP rule to exclude users in a specific LDAP organization. Instead, limit the authority of the LDAP Administrator you use, removing access to any OUs you do not want to synchronize.
Connections and Security
What specific ports and URLs need to be accessible for Directory Sync to function?
Please note that this information can change over time. For the latest information, check for updates.
Directory Sync currently accesses the following URLs:
Purpose
URL
Port Number
Authentication
https://www.google.com
443
All Feeds
https://apps-apis.google.com
443
Certificate Revocation List Processing
http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl
80
Certificate Authority
http://crl.verisign.net
80
For an up-to-date list of Google IP addresses, run a DNS TXT lookup of the subdomain _netblocks.google.com.
If GADS is unable to connect to the revocation list providers, you may see the following error in your GADS log file:
PKIX path validation failed: java.security.cert.CertPathValidatorException: revocation status check failed: no CRL found
The proxy environment requires a password challenge for external web access.
GADS can use a proxy server but cannot respond to password challenges. To run synchronization, you will need to change your network setup to allow Directory Sync to connect without a password challenge, or without a proxy server.
I cannot simulate a synchronization because the notifications server is not specified.
To run a simulated synchronization, you will need a server capable of sending mail. If you are running Directory Sync on a mail server machine, you can use the IP address 127.0.0.1 for your mail server. Otherwise, contact your mail administrator for the correct mail information.
How securely are passwords stored?
GADS stores passwords using a two-way encryption scheme. This protects your sensitive information from casual snooping or reverse engineering.
To convert a configuration file to the new format with encrypted passwords:
1.
Open the file in Configuration Manager.
2.
Save the file again.
You can also upgrade the file with the following command-line executable:
upgrade-config -c [filename]
where [filename] is the name of the XML configuration file to upgrade.
Note:
Configuration files for version 1.3.11 or later are not compatible with earlier versions.
LDAP Directory Server
The Base DN information doesn’t seem to be correct.
Check to be sure your Base DN doesn’t include any spaces.
How do I find out information about my LDAP server fields?
You will need to download an LDAP browser. An LDAP browser allows you to browse through an LDAP directory server and identify all fields and values. Many directory servers do not include a complete LDAP browser. For information on LDAP browsers, see Step One: Install LDAP Browser.
An LDAP query that includes a wildcard isn’t working with Lotus Domino LDAP
Lotus Domino has a setting for “Minimum characters for wildcard search” that controls how wildcard LDAP searches work. Update your search to include more characters, or change this setting to a lower number.
*
Related Topics
*
About Troubleshooting
*
System Tests
*
Escalating Problems
*
Getting Started
*
Step One: Install LDAP Browser
*
LDAP Queries